Forum Replies Created

Viewing 3 posts - 1 through 3 (of 3 total)
  • Well, that has very little to do with the underlying issue, even though it quite possibly was a workaround for you.

    The issue is that the CSP guides “strongly recommend” against using inline script and styling (evals too). I’m not too familiar with the Avia framework and the inner workings of Enfold, but my guess is this is how it works (and will continue to work) by design.

    In short (but not completely accurate): Some browsers (currently) enforce CSP versions differently from others. Your solution/workaround was to remove this safeguard completely.

    The workaround was to remove this setting from the Apache HTTPD Virtual Host. We will reassess the CSP documentation to adjust the directives so that the required elements are allowed to load. For now, we will leave it this way.

    My previous answer basically says that if you want to use enfold you have to lower your security enforcement/policy. CSP is a great safeguard against XSS and such exploits and by using ‘unsafe-inline’ config directive (or not using CSP at all) you expose yourself to this risk. Note that I’m not saying specifically that this makes Enfold theme unsafe to use. You just need to be aware that you cannot use this mitigation technique (which is quite common for important sites).

    Edit:
    To further clarify, this is more of a WP issue than it is an Enfold issue. As a security-minded admin it was a pain, and I’ll keep updating/posting on the relevance of the initial error regarding the ‘unsafe-inline’ CSP directive.

    Sorry for bumping this old thread, but was this ever resolved (it looks unresolved)?

    I’m guessing it wasn’t or ‘unsafe-inline’ was added to the CSP.
    Not allowing ‘unsafe-inline’ in Content-Security-Policy (CSP) is recommended; however, it breaks Enfold (and others), since a lot of functionality is added as inline script (not external files).

    For others searching, your options are pretty much limited to adding ‘unsafe-inline’ or adding hundreds of allowed hashes (which will be a pain to keep updated).
    There’s some pretty good information on your options here: https://scotthelme.co.uk/content-security-policy-an-introduction/
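The two options the posts above weigh (‘unsafe-inline’ versus a hash per inline script, and the remark that browsers enforce CSP levels differently) can be made concrete with a small script. The code below is an added example written for this page; it is not code from the poster, from Enfold or from the Avia framework. It computes CSP hash-source tokens for every inline `<script>` in a page and models the browser decision for an inline script under a given `script-src` value. The sample HTML, the `avia_framework_globals` script body and the Apache header strings are constructed for illustration, not taken from the theme.

```python
import base64
import hashlib
import re

# Constructed sample page: one external script (no hash needed) and two inline scripts.
# The inline bodies imitate what a WordPress theme injects; they are not Enfold's real output.
GLOBALS_SCRIPT = 'var avia_framework_globals = {"ajaxurl":"/wp-admin/admin-ajax.php"};'
INIT_SCRIPT = "jQuery(function($){ $('#menu').trigger('avia-init'); });"
SAMPLE_HTML = (
    "<html><head>\n"
    '<script src="/wp-content/themes/enfold/js/avia.js"></script>\n'
    "<script>" + GLOBALS_SCRIPT + "</script>\n"
    "</head><body>\n"
    '<script type="text/javascript">' + INIT_SCRIPT + "</script>\n"
    "</body></html>"
)

# Constructed Apache examples: the weak policy the thread ends up with, and the hashed alternative.
WEAK_HEADER = 'Header set Content-Security-Policy "script-src \'self\' \'unsafe-inline\'"'
HASHED_HEADER_TEMPLATE = 'Header set Content-Security-Policy "{policy}"'

SCRIPT_RE = re.compile(r"<script(?P<attrs>[^>]*)>(?P<body>.*?)</script>", re.IGNORECASE | re.DOTALL)
HASH_TOKEN_RE = re.compile(r"'sha(256|384|512)-[A-Za-z0-9+/=]+'")


def hash_token(body, algo="sha256"):
    """CSP hash-source for an inline script: base64(digest) of the exact bytes between the tags."""
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def inline_script_hashes(html, algo="sha256"):
    """Return one hash token per inline <script>; scripts with src= are external and skipped."""
    tokens = []
    for m in SCRIPT_RE.finditer(html):
        if re.search(r"\bsrc\s*=", m.group("attrs"), re.IGNORECASE):
            continue
        tokens.append(hash_token(m.group("body"), algo))
    return tokens


def build_script_src(html, extra_sources=("'self'",), algo="sha256"):
    """Build a script-src value that allows the page's inline scripts without 'unsafe-inline'."""
    tokens = list(dict.fromkeys(inline_script_hashes(html, algo)))  # dedupe, keep order
    return "script-src " + " ".join(list(extra_sources) + tokens)


def inline_script_allowed(script_src, body, csp_level=2):
    """Model whether a browser lets an inline script body run under this script-src.

    CSP Level 1 honours 'unsafe-inline' unconditionally. From Level 2 on, a hash or nonce
    source in the directive makes the browser ignore 'unsafe-inline', so mixing both does not
    give a fallback in current browsers; only a matching hash (or nonce) allows the script.
    """
    tokens = script_src.split()
    hash_tokens = [t for t in tokens if HASH_TOKEN_RE.fullmatch(t)]
    nonce_tokens = [t for t in tokens if t.startswith("'nonce-")]
    for t in hash_tokens:
        algo = t[1:].split("-", 1)[0]  # e.g. sha256
        if hash_token(body, algo) == t:
            return True
    if "'unsafe-inline'" in tokens:
        if csp_level == 1 or not (hash_tokens or nonce_tokens):
            return True
    return False


if __name__ == "__main__":
    policy = build_script_src(SAMPLE_HTML)
    print("weak:   ", WEAK_HEADER)
    print("hashed: ", HASHED_HEADER_TEMPLATE.format(policy=policy))
    # A single whitespace change in the inline script invalidates its hash.
    print("globals allowed:", inline_script_allowed(policy, GLOBALS_SCRIPT))
    print("edited  allowed:", inline_script_allowed(policy, GLOBALS_SCRIPT + " "))
```

Run it against the saved HTML of each page template; every time the theme (or a plugin) changes one byte of an inline script, its hash has to be regenerated, which is the maintenance burden the post above describes. The level-2 behaviour modelled in `inline_script_allowed` is also why the workaround of keeping ‘unsafe-inline’ next to hashes does not buy anything in modern browsers, and why the policy should be tested in the browsers the site actually serves. Inline event handlers (`onclick=` and friends) are not covered by script hashes at all in CSP Level 2, so a theme relying on them still breaks under a hash-only policy.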

    in reply to: Mobile Menu – links #846166

    Regarding mega menus and mobile, it might be related to some of the recent changes. There’s a link with updated JS (while we wait for 4.1.3) in the thread https://kriesi.at/support/topic/sub-menu-do-not-appear-in-mobile-menu-since-4-1/
